Data protection policy

If you wish to contact the CNAP in connection with data protection, please refer to point 7 below.

The National Pension Insurance Office (CNAP) pays particular attention to the protection of privacy and personal data.

As part of its public interest mission, the CNAP, as data controller, is required to process personal data.

The purpose of this policy is to inform data subjects about how we process their personal data.

All processing is carried out in accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (GDPR) and the Act of 1 August 2018 organising the National Data Protection Commission and implementing Regulation (EU) 2016/679.

Personal data is any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier (name, identification number), an online identifier, or one or more factors specific to their identity.

Processing is any operation or set of operations which is performed upon personal data or sets of data, whether or not by automatic means, such as collection, recording, storage, alteration, consultation, disclosure by transmission, erasure or destruction.

A controller is the person who, alone or jointly with others, determines the purposes and means by which personal data are, or will be, processed.

1. Who are we and why do we process your data?

The CNAP is a Luxembourg public sector establishment placed under the supervision of the Minister of Health and Social Security, and is responsible for managing pension insurance in accordance with the provisions of Book III of the Social Security Code.

We are responsible for calculating and paying pensions and collecting the documents required to make these calculations and payments under the general pension insurance scheme in the event of old age, invalidity and survival. We are also responsible for recognising child-raising periods ("baby years") and additional periods, for applying the provisions concerning the retroactive purchase of insurance periods, for reimbursing contributions after the age of 65, for transferring contributions from the pension schemes of international organisations and for refunding reimbursed contributions. The management of pension insurance also includes providing information and advice to insured persons.

In the course of our work, we may collect and process your personal data. These data are processed for the purposes of processing your pension application, issuing pension and tax certificates, responding to your requests for information, compiling statistics and for archiving purposes in the public interest.

We undertake to process your data only to the extent necessary to fulfil our duties.

2. What data is collected and processed?

Depending on the purpose, the categories of data likely to be processed are as follows:

  • identification data (first name, surname, address, social security number, date of birth, date of death, nationality, status, etc.)
  • identification details of persons related to the insured person, such as spouse or divorced spouse, children, parents, siblings (social security number, surname, first name, married name, address, date of birth and death, status, nationality, professional details, professional career)
  • electronic identification data (IP address, cookies)
  • data on the composition of your household (marriage, marital history, family members)
  • enrolment details (enrolment, scheme, start and end of enrolment, enrolment bodies)
  • professional data (occupation, salary, employer's name, employer's address, employer's registration number, insurance record)
  • financial data (“Relevé d'identité bancaire”, IBAN, BIC/Swift code)
  • medical data (medical records, diagnostic codes, data on accidents at work or occupational diseases)
  • data relating to image recording (video recording in and around the CNAP building)
  • judicial data (appeals, guardianship, judgments, etc.)

3. Will the data be passed on to third parties?

Certain categories of personal data may be transmitted by the CNAP to other authorities or social security institutions. These recipients are also required to comply with data protection regulations.

4. How long is personal data kept?

The CNAP keeps personal data for no longer than is necessary for the purposes for which it is to be used. Some personal data may be kept longer in order to comply with statutes of limitation or other legal provisions.

5. What data is processed when I visit the CNAP website?

Electronic identification data is collected each time a visitor connects to the CNAP website. Please consult the cookie management policy here.

6. What are your rights with regard to the protection of personal data?

In accordance with Articles 13 to 19 of the GDPR, you have:

  • a right to be informed,
  • a right to challenge a decision taken on the basis of automated processes,
  • a right of access,
  • a right to rectification,
  • the right to be forgotten,
  • a right to restriction of processing,
  • a right to data portability,
  • a right to object,
  • a right to limitation and
  • the right to lodge a complaint with the competent authority for the protection of personal data in your country.

7. Who should I contact if I have a question or complaint?

The GDPR requires the appointment of a Data Protection Officer (DPO) when processing is carried out by a public authority or public body.

If you have any questions about our data protection policy, the processing of your personal data or the exercise of your rights, you can send them by post to the attention of the CNAP Data Protection Officer at L-1724 Luxembourg, 1A Boulevard Prince Henri or by using this contact form. In order for us to process your request, it must be accompanied by a copy of your identity card.

You may also lodge a complaint with the National Commission for Data Protection (“Commission nationale pour la protection des données”), located at L-4370 Belvaux, 15, Boulevard du Jazz.
